squid 2.6 transparent proxy

In case you used squid 2.5 to create a transparent proxy and decided to switch to 2.6, or this is the first time you are setting up a transparent proxy and most of the tutorials out there are for squid 2.5, here is a brief howto for this setup.

In squid 2.6 the configuration options httpd_accel_host, httpd_accel_port, httpd_accel_with_proxy and httpd_accel_uses_host_header are no longer defined (see the squid 2.6 release notes), so if you are still using them in your config file squid will give you an error like "parseConfigFile: line 41 unrecognized: 'httpd_accel_host virtual'" and will refuse to start.

To activate transparent proxy in squid 2.6 all you have to do is use the "transparent" option on http_port. Something like:

http_port 3128 transparent

Of course squid has to be compiled with transparent proxy support for netfilter (iptables) by adding --enable-linux-netfilter to the ./configure line, the Linux kernel needs netfilter support, and you also need an iptables rule that redirects packets arriving on your local network interface with destination port 80 to the port squid is listening on.

Assuming your local network interface is eth1 and squid listens on port 3128, here is the rule that has to be added to iptables:
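The rule itself did not survive in this copy of the post. As an added example (not the post's own text), here is a small POSIX sh script that emits the netfilter rule the paragraph describes and checks the build prerequisite it names. The interface eth1 and port 3128 are the values from the post; the LAN_IF/SQUID_PORT variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): emit the iptables rule that
# sends HTTP arriving on the LAN interface to squid 2.6's transparent
# http_port, and check that squid was built with netfilter support.
# eth1 and 3128 are the values used in the post; variable and function
# names are this example's own.

LAN_IF="${LAN_IF:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"

# valid_port PORT: succeed only for an integer in 1..65535, so a typo
# never becomes a REDIRECT to a port nothing is listening on.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_rule IFACE PORT: print (not run) the nat-table rule. Only
# packets *arriving* on IFACE with destination port 80 are rewritten;
# traffic the squid box itself originates goes through OUTPUT, not
# PREROUTING, so squid's own fetches are never looped back into squid.
redirect_rule() {
    valid_port "$2" || { echo "redirect_rule: bad port '$2'" >&2; return 1; }
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$1" "$2"
}

# netfilter_flag_in CONFIGURE_OPTIONS: `squid -v` prints the ./configure
# options the binary was built with; this tests that text for the flag
# the post says is required, so it also works on saved output.
netfilter_flag_in() {
    printf '%s\n' "$1" | grep -q -- '--enable-linux-netfilter'
}

# squid_built_with_netfilter: same check against the installed squid.
squid_built_with_netfilter() {
    netfilter_flag_in "$(squid -v 2>/dev/null)"
}

# When run directly, print the rule so it can be reviewed before being
# applied (as root: redirect_rule eth1 3128 | sh).
redirect_rule "$LAN_IF" "$SQUID_PORT"
```

The script prints the rule instead of applying it so it can be reviewed, or piped to sh as root once the port and interface have been confirmed; the port check and the build check are what would otherwise fail silently as a proxy that "just doesn't work transparently".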

I just came across this proxy and was wondering if you guys can help me out. I have the classic 192.168.0.0 subnet running at my organization with a hardware router that is also the gateway. I’ve been trying to get squid 2.6 running on Debian Etch with kernel 2.6, but with no success. I’ve gotten it to work by setting my IE to use a proxy, but it doesn’t seem to want to work transparently. I’ve entered the iptables entry but still, same result. My setup is below:

Do you have ip forwarding enabled? cat /proc/sys/net/ipv4/ip_forward should show 1. If not then: echo 1 > /proc/sys/net/ipv4/ip_forward, and if you want this to work after a reboot put it somewhere like rc.local or /etc/sysctl.conf.

I appreciate the help bro. I edited my sysctl.conf file and added net.ipv4.ip_forward = 1 to it. So whenever I reboot, it automatically turns on ip forwarding. So I am not doing echo 1 > /proc/sys/net/ipv4/ip_forward.

Oh so it will not work if it’s not the gateway? I have it set as a node on my LAN because I have a hardware firewall, a Netopia router. Do you know of any way to make transparent proxy work in this type of scenario?

Of course it will not work. How would it be able to redirect packets to squid if the packets don’t even get to it? You can set this as the gateway and still use your hardware router, but you have to add another rule to POSTROUTING.

You can use just one interface if you want and it can act as both an external and internal interface, but you have to set it up to have two different IPs (in two different classes), one for connecting to the hardware router and the other for your local network. You also have to set your workstations on your LAN to have an IP in the same class as the one you set on your server for the local interface, and make the workstations use the server’s IP as the gateway, not the hardware router.
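The two replies above (ip forwarding, and making the squid box the gateway with an extra POSTROUTING rule or a second address on a single interface) describe a setup with several parts that have to all be in place. As an added example, not from the post or from squid, here is a POSIX sh preflight that generates the missing pieces and checks a nat-table listing for them. It complements the PREROUTING REDIRECT rule from the howto rather than repeating it. The interface names eth0/eth1, the sample addresses, the SAMPLE_NAT_LISTING text and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from squid): preflight for
# running the squid box as the LAN gateway behind a hardware router, as
# the author describes in the comments. It assumes the PREROUTING
# REDIRECT rule from the howto is loaded separately. Interface names,
# addresses, the sample listing and function names are this example's own.

EXT_IF="${EXT_IF:-eth0}"          # faces the hardware router
LAN_IF="${LAN_IF:-eth1}"          # faces the workstations
SQUID_PORT="${SQUID_PORT:-3128}"

# ip_forward_enabled [FILE]: the kernel only routes packets between
# interfaces when this sysctl is 1; FILE defaults to the live value.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# masquerade_rule IFACE: print the POSTROUTING rule the author mentions.
# Replies from the internet must come back to the squid box, so LAN
# source addresses are rewritten to the address on the router-facing side.
masquerade_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$1"
}

# lan_alias_cmd IFACE ADDR/PREFIX: for the single-interface variant, print
# the command that adds a second address (a separate subnet for the LAN)
# to the same interface.
lan_alias_cmd() {
    printf 'ip addr add %s dev %s\n' "$2" "$1"
}

# nat_rules_present LISTING SQUID_PORT EXT_IF: given the text of
# `iptables -t nat -S`, succeed only if both halves of the setup are
# loaded: the port-80 REDIRECT to SQUID_PORT and MASQUERADE on EXT_IF.
nat_rules_present() {
    listing="$1"
    printf '%s\n' "$listing" | grep -q -- "--dport 80 -j REDIRECT --to-ports $2" || return 1
    printf '%s\n' "$listing" | grep -q -- "-A POSTROUTING -o $3 -j MASQUERADE"
}

# Constructed sample of `iptables -t nat -S` output for a correct setup
# (iptables prints "-m tcp" and "--to-ports" when listing the rule).
SAMPLE_NAT_LISTING='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE'

# gateway_preflight LISTING [IP_FORWARD_FILE]: report what is missing and
# return 0 only when nothing is, so it can gate a startup script.
gateway_preflight() {
    ok=0
    ip_forward_enabled "${2:-}" || {
        echo "ip_forward is 0: echo 1 > /proc/sys/net/ipv4/ip_forward"; ok=1; }
    nat_rules_present "$1" "$SQUID_PORT" "$EXT_IF" || {
        echo "nat rules incomplete; REDIRECT to $SQUID_PORT plus:"; masquerade_rule "$EXT_IF"; ok=1; }
    return $ok
}

# Stand-alone run: check the live kernel against the constructed listing.
gateway_preflight "$SAMPLE_NAT_LISTING" && echo "gateway preflight ok"
```

On a real box, replace SAMPLE_NAT_LISTING with `"$(iptables -t nat -S)"`; the preflight then tells you which of the three things (forwarding, REDIRECT, MASQUERADE) is absent, which is exactly the failure mode in the thread, where a proxy that works when set explicitly in the browser does nothing transparently.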

Rocky, you might be able to make it work in your scenario. You may be able to use WCCP or policy based routing.

For WCCP you have to have a WCCP capable device in the path of the web traffic. So if either your firewall or router can do this, have a look at the squid wiki and the docs for the router for setting up WCCP. I have it working with a Cisco, works fine and isn't too hard to set up.

Policy routing is when you match traffic based on source, destination or port (or other things), then do something special to it. An example of this would be to match all web traffic passing through your router destined for an external address, then redirect that traffic to your squid box. This all depends on how smart your router is.

In either of these the squid box does not need to be in the direct path to see all your traffic, you just need one of your existing devices to have one or both of the above so it can flick web traffic to squid and send the rest the usual way.

The names of the directives seem to have changed in squid 2.6. Look at the comments in /etc/squid/squid.conf regarding transparent mode. Also see the sections pertaining to squid 2.6 in the second document:

Even I was struggling with a transparent proxy with squid 2.6 and I am still struggling with it! Perhaps the default squid that comes with 10.3 isn't configured to be transparent – I know this sounds lame but what else could be the solution….

httpd_accel commands are throwing errors, pre-routing and post-routing don't work – I don't see any other justified answer to this other than – squid needs to be compiled again with --enable-linux-netfilter